Skip to content

Commit

Permalink
test/openssl/test_pkey_dsa.rb: skip all tests in FIPS mode
Browse files Browse the repository at this point in the history 
OpenSSL running in the FIPS mode will stop supporting DSA key
generation and signature generation due to a FIPS 140-3 requirement.
Although it appears that FIPS 186-5 still allows signature
verification in some cases, there would be little point in writing such
a specific test case.

DSA will still be tested if OpenSSL is not running in the FIPS mode.

test_generate_on_non_fips is merged to test_generate again.
  • Loading branch information
@rhenium
rhenium committed Aug 5, 2024
1 parent 3982fe7 commit 3651884
Showing 1 changed file with 10 additions and 13 deletions.
23 changes: 10 additions & 13 deletions test/openssl/test_pkey_dsa.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@
if defined?(OpenSSL) && defined?(OpenSSL::PKey::DSA)

class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
def setup
# May not be available in FIPS mode as DSA has been deprecated in FIPS 186-5
omit_on_fips
end

def test_private
key = Fixtures.pkey("dsa1024")
assert_equal true, key.private?
Expand Down Expand Up @@ -31,6 +36,11 @@ def test_new_break
def test_generate
# DSA.generate used to call DSA_generate_parameters_ex(), which adjusts the
# size of q according to the size of p
key1024 = OpenSSL::PKey::DSA.generate(1024)
assert_predicate key1024, :private?
assert_equal 1024, key1024.p.num_bits
assert_equal 160, key1024.q.num_bits

key2048 = OpenSSL::PKey::DSA.generate(2048)
assert_equal 2048, key2048.p.num_bits
assert_equal 256, key2048.q.num_bits
Expand All @@ -42,17 +52,6 @@ def test_generate
end
end

def test_generate_on_non_fips
# DSA with 1024 bits is invalid on FIPS 186-4.
# https://github.com/openssl/openssl/commit/49ed5ba8f62875074f04417189147fd3dda072ab
omit_on_fips

key1024 = OpenSSL::PKey::DSA.generate(1024)
assert_predicate key1024, :private?
assert_equal 1024, key1024.p.num_bits
assert_equal 160, key1024.q.num_bits
end

def test_sign_verify
# The DSA valid size is 2048 or 3072 on FIPS.
# https://github.com/openssl/openssl/blob/7649b5548e5c0352b91d9d3ed695e42a2ac1e99c/providers/common/securitycheck.c#L185-L188
Expand Down Expand Up @@ -135,8 +134,6 @@ def test_DSAPrivateKey
end

def test_DSAPrivateKey_encrypted
omit_on_fips

# key = abcdef
dsa512 = Fixtures.pkey("dsa512")
pem = <<~EOF
Expand Down

0 comments on commit 3651884

Please sign in to comment.